Storage Proofs
Curve
DeFiLayer 1Layer 2
14,723 OP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Calculation Incosistency in `ScrvusdOracle` could lead to disruption and confusion.

summer

Summary

The MAX_V2_DURATION constant in the ScrvusdOracle contract is defined as 4 * 12 * 4 = 192 weeks with a comment indicating "4 years," but 192 weeks is actually closer to 3.69 years, creating a documentation/code inconsistency.

Vulnerability Details

In the ScrvusdOracle contract, the MAX_V2_DURATION constant is defined as:

MAX_V2_DURATION: constant(uint256) = 4 * 12 * 4 # 4 years

The calculation yields 192, which is commented as "4 years". If each period is a week (as suggested by the default profit_max_unlock_time of 7 days), then 192 weeks is approximately 3.69 years, not 4 years.

Meanwhile, also the constructor initializes:

self.max_v2_duration = 4 * 6 # half a year

This is indeed 24 weeks, which is approximately half a year.

  • Given that one period is one week, exactly 4 years should be calculated as (4 * 13 * 4 = 208 weeks). In the provided code, the constant is set to (4 * 12 * 4 = 192 weeks), which is appr. to 3.7 years. Therefore, if the intended duration is truly 4 years, the constant should be updated to 208 weeks, or the comment should be adjusted to reflect that 192 weeks is used (about 3.7 years).

Impact

The likelihood of this causing problems is low, but if the intention of the protocol was to make use of 4years as the documentation included, then theres very high possibility of very severe disruption

Tools Used

Manual Review

Recommendations

Adjust the CONSTANT to match the 4-year intent or explicitly document the 3.7 year duration.

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[invalid] finding-MAX_V2_DURATION

This is simply an approximation. I don't believe there is any incorrect logic here, given as long as this duration of growth is consistently applied, there will arguably be no incorrect oracle prices here. Additionally, I highly doubt there will be a instance where 48 weeks has passed since the last update.

Appeal created

summer Submitter
5 months ago
0xnevi Lead Judge
5 months ago
0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[invalid] finding-MAX_V2_DURATION

This is simply an approximation. I don't believe there is any incorrect logic here, given as long as this duration of growth is consistently applied, there will arguably be no incorrect oracle prices here. Additionally, I highly doubt there will be a instance where 48 weeks has passed since the last update.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.